A consortium of security firms calling themselves Operation Blockbuster, led by Novetta, named a closely-knit collection of hackers it has dubbed the Lazarus Group as the perpetrator behind the 2014 Sony Pictures Entertainment hack.
Operation Blockbuster, which includes Kaspersky Lab, AlienVault, Symantec and ThreatConnect, issued a report on 24 February detailing its investigation into the attack and the group that pulled it off. The 58-page study's primary takeaway is that while the security companies cannot pin the Sony attack on a specific nation-state - North Korea was named the culprit by the US Federal Bureau of Investigation - it did say evidence shows the toolset used to hack Sony, which included the Destover trojan, could be traced to earlier attacks against South Korea. North Korea has been suspected in multiple cyber-attacks against its southern neighbour.
“Although our analysis cannot support direct attribution of a nation-state or other specific group due to the difficulty of proper attribution in the cyber realm, the FBI's official attribution claims could be supported by our findings,” the report stated, adding: “We strongly believe that the SPE (Sony Pictures Entertainment) attack was not the work of insiders or hacktivists. Instead, given the malicious tools and previous cyber operations linked to these tools, it appears that the SPE attack was carried out by a single group.”
Operation Blockbuster participant Symantec would not comment on whether or not North Korea is involved with Lazarus. However, a spokesperson told SCMagazine.com in an email Thursday that a Symantec Security Response blog post on the topic said, “Aggressive attacks linked to Lazarus continued in 2014 and the group was linked to Backdoor.Destover, a highly destructive Trojan that was the subject of an FBI warning after it was used in an attack against Sony Pictures Entertainment. The FBI concluded that the North Korean government was responsible for this attack.”
Attacks by Lazarus can be dated to 2009 with possibly the first use of the Dozer trojan to knock US and South Korean websites offline with a distributed denial of service (DDoS) attack. This was followed up in 2011 with additional DDoS attacks against South Korean properties using the Koredos trojan, Symantec's team blog said.
Sony was not the only target. Operation Blockbuster researchers noted that the malware used could be found in attacks on a wide range of countries and organisations with the United States, Taiwan and China.